Week 03-A Student Version

The document discusses information security and privacy. It defines information security and outlines threats such as viruses, hackers and human errors. It also discusses security controls like physical, access and communication controls used to protect information systems and data. The document emphasizes the importance of contingency planning through business continuity plans, backup strategies and disaster recovery plans.

Uploaded by rina.takendare

MIS101

BUSINESS INFORMATION SYSTEMS


School of Information Systems
Faculty of Business and Law

WEEK THREE – PART 1


INFORMATION SECURITY AND PRIVACY
LECTURE OVERVIEW
What is information security? How does it relate to us?

Unintentional threats to information systems.

Intentional threats to information systems.

Protecting information resources.

Information security controls.

Contingency planning.
WHAT IS INFORMATION SECURITY?
• Security can be defined as the degree of protection against criminal
activity, danger, damage and/or loss.

• In broad terms, information security is about protecting an
organisation’s information assets and information system resources
from:
• Unauthorised access;
• Use;
• Disclosure;
• Disruption;
• Modification;
• Destruction.
WHAT IS INFORMATION SECURITY?
• The CIA triad of a secure information system:

1. Confidentiality;
2. Integrity;
3. Availability.

Threat.
Exposure.
Vulnerability.

Examples of common security threats:
◦ virus, hacker, cybercrime, poor management, human error, lack of
knowledge/awareness.
FIVE FACTORS THAT INCREASE RISK
1. Today’s interconnected, interdependent, wirelessly-networked business
environment.

2. Smaller, faster, cheaper computers and storage devices.

3. Decreasing skills necessary to be a hacker.

4. Organized crime taking over cybercrime.

5. Lack of management support.


NETWORKED BUSINESS ENVIRONMENT
SMALLER, FASTER AND PORTABLE DEVICES

DECREASING SKILLS NEEDED TO HACK
Readily accessible tools make it easy to attack a network.

Attacks are becoming increasingly sophisticated.

Beware the insider attack from disgruntled employees.

ORGANISED CRIME TAKING OVER CYBERCRIME

LACK OF MANAGEMENT SUPPORT

UNINTENTIONAL THREATS TO INFORMATION SYSTEMS
MOST DANGEROUS EMPLOYEES
Human Resources Department.
Information Systems Department.
These ‘insider’ employees hold ALL the information.
‘Insiders’ know the systems and the weaknesses.
HUMAN ERRORS
• Carelessness with laptops and portable computing devices;

• Opening questionable e-mails;

• Careless Internet surfing;

• Downloading and installing ‘non-vetted’ software;

• Poor password selection and use;

• And many more …


SOCIAL ENGINEERING
• Two examples:
• Tailgating;
• Shoulder surfing.

• Email scams:
• Nigerian Scam; Phishing Scams.

• Malicious websites can download Spyware, which can:
• Log keystrokes;
• Enable unauthorised access and use.

• See DSO - 60 Minutes Interview with Kevin Mitnick
• http://www.youtube.com/watch?v=7YCOgcVgAlc (via YouTube)
DELIBERATE THREATS
Espionage or trespass.

Information extortion.

Sabotage or vandalism.

Theft of equipment or information:
• For example, skip dipping.
DELIBERATE ATTACKS
Espionage or Trespass;
Information extortion;
Sabotage or vandalism;
Denial of Service (DoS) attacks;
• DoS evolution http://www.youtube.com/watch?v=Q7deVOUXPFk (via YouTube)
Theft of equipment or information;
Identity theft;
Compromises to intellectual property;
Software attacks;
Alien software;
Supervisory control and data acquisition (SCADA) attacks;
Information Warfare and Cyberterrorism.
• Estonia http://www.youtube.com/watch?v=bAv0GDvdOMA (via YouTube)
DELIBERATE THREATS
Identity theft - is the deliberate assumption of another person’s identity, usually to gain
access to their financial information or to perpetrate some crime.

Techniques include:
• Stealing mail or ‘dumpster diving’ (i.e. searching someone’s rubbish bins for bills or
receipts);
• Stealing personal information from databases;
• Utilising ‘insider’ access to an organisation’s information resources;
• Impersonating a trusted organisation in an email communication (i.e. Phishing).

Recovery:
• Victim's reputation is severely compromised;
• Costly, time consuming and difficult to re-establish bona fides (i.e. identity documents)
and gain trust for credit, loans, insurance, jobs and community status.
DELIBERATE THREATS
Compromises to electronic property and assets:

• Intellectual property;

• Trade secret;

• Patent;

• Trademark;

• Copyright;

• Piracy.
INFORMATION SYSTEM THREATS
Software attacks:
• Virus - a segment of computer code that performs malicious actions by attaching
to another computer program.
• Worm - a segment of computer code that spreads by itself and performs
malicious actions without requiring another computer program.
• Trojan horse - a software program that hides in other computer programs and
reveals its designed behaviour only when it is activated.
• Logic bomb - a segment of computer code, embedded within a program, that
is designed to activate and perform a destructive action at a certain time and date.
• Spyware - collects personal information about users without their consent.
• Spamware - alien software that uses your computer as a spam launchpad.
• Cookies - small amounts of information that websites store on your
computer.
RISK MANAGEMENT
Risk:
• Risk management;
• Risk analysis.
Risk Mitigation:
• Acceptance;
• Limitation;
• Transference.
Auditing:
• Around the computer;
• Through the computer;
• With the computer;
• Physical.
INFORMATION SECURITY CONTROLS
Social Controls:
• State, national and international laws.
• Best practices.
• Social conventions.

Physical Controls:
• Guards, Fences, Gates and Locks.

Access Controls – are about Authentication:
• Something the user is (biometrics);
• Something the user has;
• Something the user does;
• Something the user knows.
INFORMATION SECURITY CONTROLS
Authorisation:
• Privilege, Least Privilege.
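The two slides above list the authentication factors and name the least-privilege principle without showing what either looks like in practice. The following Python is an added example, not part of the lecture or its textbook: it verifies "something the user knows" against a salted PBKDF2 hash (so no clear-text password is ever stored) and then answers an authorisation question by granting an action only when it was explicitly assigned to the user. The in-memory user store, the usernames, passwords and privilege names are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional, Set, Tuple

# Constructed sample user store (hypothetical, not from the lecture).
# The clear-text password is never stored: only a random per-user salt and a
# PBKDF2-HMAC-SHA256 hash, plus the exact set of privileges each user needs.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2 hash of the password; returns (salt, hash)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def create_user(store: dict, username: str, password: str, privileges: Set[str]) -> None:
    """Enrol a user with a fresh salt and only the privileges listed (least privilege)."""
    salt, digest = hash_password(password)
    store[username] = {"salt": salt, "hash": digest, "privileges": frozenset(privileges)}


def authenticate(store: dict, username: str, password: str) -> bool:
    """Authentication by 'something the user knows': recompute and compare the hash."""
    record = store.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time does not
        # reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    _, candidate = hash_password(password, record["salt"])
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


def authorise(store: dict, username: str, action: str) -> bool:
    """Authorisation: deny by default; allow only an action explicitly granted."""
    record = store.get(username)
    return record is not None and action in record["privileges"]


def build_demo_store() -> dict:
    """Two constructed users: a clerk who can only read invoices, an auditor who reads more."""
    store: dict = {}
    create_user(store, "clerk", "correct horse battery staple", {"invoice:read"})
    create_user(store, "auditor", "Tr0ub4dor&3", {"invoice:read", "ledger:read"})
    return store


if __name__ == "__main__":
    users = build_demo_store()
    print(authenticate(users, "clerk", "correct horse battery staple"))  # True
    print(authorise(users, "clerk", "ledger:read"))                       # False
```

Authentication and authorisation are kept as separate functions on purpose: a correct password proves who the user is, but says nothing about what they may do, and the privilege set is the only thing `authorise()` consults.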

Communication Controls:
• Firewalls;
• Anti-malware systems;
• Whitelisting and Blacklisting;
• Encryption;
• VPN, SSL and Employee monitoring systems.
WHERE CONTROLS ARE LOCATED
BASIC FIREWALL CONFIGURATIONS
COMMUNICATION CONTROLS
Encryption:
• Converting an original message into a form that can only be read by the intended receiver.
• Public key encryption (asymmetric encryption).
• Digital certificate.

Virtual private networking (VPN):
• Uses logins and encryption to establish a secure, private connection on a public network like the internet.

Secure Sockets Layer (SSL):
• An encryption standard for secure transactions such as credit card purchases and online banking.

Employee monitoring systems:
• Monitor employees’ computers, e-mail, and internet activities.
COMMUNICATION CONTROLS
How Public Key Encryption Works:
COMMUNICATION CONTROLS
How Digital Certificates Work:
COMMUNICATION CONTROLS
How a VPN Works:
CONTINGENCY PLANNING
Business Continuity Plan:
• In business continuity and risk management, a contingency plan is a process
that prepares an organization to respond coherently to an unplanned event.
Backup:
• Hot Site.
• Warm Site.
• Cold Site.

Planning and Preparation Goals:
• Plan to manage disaster circumstances;
• Develop resilience to recover quickly;
• Get the business back to normal operation, as quickly as possible.
CONTINGENCY PLANNING
Incident Response Plan (IRP):
• Includes a policy that defines, in specific terms, what constitutes an incident and
provides a step-by-step process that should be followed when an incident
occurs.

Disaster Recovery Plan (DRP):
• Documents policies, procedures and actions to limit the disruption to an
organization in the wake of a disaster.

Business Continuity Management (BCM):
• Is a framework for identifying an organization's risk of exposure to internal and
external threats.

Disaster Preparedness Drill http://www.youtube.com/watch?v=Zhmk8IEDSrs (via YouTube)


WHAT TO DO NOW?
Homework:
Do summaries and quizzes as per the homework guide.
READING
1. First Australasian Edition: Gray et al (2015) – Chapter Seven (p.205-243) & Chapter Six
(p.181-200).
2. U.S. 2nd Edition: Rainer, Prince & Watson (2013) – Chapter Seven (p.226-266) & Chapter
Six (p.202-222).
• Also suggested review of Plug IT In 6 (p.612-634).

TO DO’s
Revision and develop your lecture notes for exam preparation.
Pre-read and attempt this week’s Tutorial.
• Come to class prepared to ask and answer questions.
• Start writing your assignment NOW.
